Skip to content

experimentation

experimentation #4

Workflow file for this run

name: build
on: # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
push:
branches:
- main
paths-ignore: # don't rebuild if only documentation has changed
- "**.md"
pull_request:
workflow_dispatch:
# Only deploys the branch named "live". Ignores all other branches, to allow
# having "development" branches without interfering with GHCR image uploads.
jobs:
push-ghcr:
name: Build and push image
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
id-token: write
strategy:
fail-fast: false
matrix:
arch: [amd64]
steps:
- name: Maximize build space
uses: easimon/maximize-build-space@v10
with:
root-reserve-mb: 10240
remove-dotnet: 'true'
remove-android: 'true'
remove-haskell: 'true'
remove-codeql: 'true'
remove-docker-images: 'true'
# Checkout push-to-registry action GitHub repository
- name: Checkout Push to Registry action
uses: actions/checkout@v4
- name: Install cosign
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
uses: sigstore/[email protected]
- name: Add yq (for reading desc.yml)
uses: mikefarah/[email protected]
# important here is to lowercase image related variables like IMAGE_REGISTRY
# and IMAGE_NAME because docker does not allow uppercase chars in the whole image name.
- name: Gather image data from description
run: |
echo "IMAGE_TITLE=$(yq '.title' ./desc.yml)" >> $GITHUB_ENV
echo "IMAGE_NAME=${GITHUB_REPOSITORY_OWNER@L}/$(yq '.name | downcase' ./desc.yml)" >> $GITHUB_ENV
echo "IMAGE_DESCRIPTION=$(yq '.description' ./desc.yml)" >> $GITHUB_ENV
echo "IMAGE_MAJOR_VERSION=$(yq '.image-version' ./desc.yml)" >> $GITHUB_ENV
echo "IMAGE_REGISTRY=$(yq '.image-registry | downcase' ./desc.yml)" >> GITHUB_ENV
- name: Generate tags
id: generate-tags
shell: bash
run: |
# Generate a timestamp for creating an image version history
TIMESTAMP="$(date +%Y%m%d)"
MAJOR_VERSION="${IMAGE_MAJOR_VERSION}"
COMMIT_TAGS=()
BUILD_TAGS=()
# Have tags for tracking builds during pull request
SHA_SHORT="${GITHUB_SHA::7}"
# Using clever bash string templating, https://stackoverflow.com/q/40771781
# don't make malformed tags if $MAJOR_VERSION is empty (base-image didn't include proper labels) --
COMMIT_TAGS+=("pr-${{ github.event.number }}${MAJOR_VERSION:+-$MAJOR_VERSION}-${{ matrix.arch }}")
COMMIT_TAGS+=("${SHA_SHORT}${MAJOR_VERSION:+-$MAJOR_VERSION}-${{ matrix.arch }}")
BUILD_TAGS=("${MAJOR_VERSION}-${{ matrix.arch }}" "${MAJOR_VERSION:+$MAJOR_VERSION-}${TIMESTAMP}-${{ matrix.arch }}")
# --
BUILD_TAGS+=("${TIMESTAMP}-${{ matrix.arch }}")
BUILD_TAGS+=("latest-${{ matrix.arch }}")
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
echo "Generated the following commit tags: "
for TAG in "${COMMIT_TAGS[@]}"; do
echo "${TAG}"
done
alias_tags=("${COMMIT_TAGS[@]}")
else
alias_tags=("${BUILD_TAGS[@]}")
fi
echo "Generated the following build tags: "
for TAG in "${BUILD_TAGS[@]}"; do
echo "${TAG}"
done
echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT
# Build metadata
- name: Image Metadata
uses: docker/metadata-action@v5
id: meta
with:
images: |
${{ env.IMAGE_NAME }}
labels: |
org.opencontainers.image.title=${{ env.IMAGE_TITLE }}
org.opencontainers.image.ref.name=${{ env.IMAGE_NAME }}
org.opencontainers.image.version=${{ env.IMAGE_MAJOR_VERSION }}
org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }}
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/drakulix/infinity/main/README.md
io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/33131755?s=200&v=4
- name: Install qemu dependency
run: |
sudo apt-get update
sudo apt-get install -y qemu-user-static
# Build image using Buildah action
- name: Build Image
id: build_image
uses: redhat-actions/buildah-build@v2
with:
containerfiles: |
./Containerfile
image: ${{ env.IMAGE_NAME }}
tags: |
${{ steps.generate-tags.outputs.alias_tags }}
archs: ${{ matrix.arch }}
build-args: |
IMAGE_MAJOR_VERSION=${{ env.IMAGE_MAJOR_VERSION }}
labels: ${{ steps.meta.outputs.labels }}
oci: false
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Push the image to GHCR (Image Registry)
- name: Push To GHCR
uses: redhat-actions/push-to-registry@v2
id: push
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
with:
image: ${{ steps.build_image.outputs.image }}
tags: ${{ steps.build_image.outputs.tags }}
registry: ${{ env.IMAGE_REGISTRY }}
username: ${{ env.REGISTRY_USER }}
password: ${{ env.REGISTRY_PASSWORD }}
- name: Echo outputs
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
run: |
echo "${{ toJSON(steps.push.outputs) }}"
# Sign the resulting Docker image digest except on PRs.
# This will only write to the public Rekor transparency log when the Docker
# repository is public to avoid leaking data. If you would like to publish
# transparency data even for private images, pass --force to cosign below.
# https://github.com/sigstore/cosign
- name: Sign the published Docker image
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live'
env:
COSIGN_EXPERIMENTAL: "true"
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
run: cosign sign --yes ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }}